limit compute IAM scope

joecorall · joecorall · commit 85e8486eafdc · 2025-11-26T03:38:32.000-05:00
and enable secure boot
diff --git a/main.tf b/main.tf
@@ -149,12 +149,17 @@ resource "google_compute_instance" "cloud-compose" {
 
   service_account {
     email  = google_service_account.cloud-compose.email
-    scopes = ["cloud-platform"]
+    scopes = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/iam",
+    ]
   }
 
   shielded_instance_config {
     enable_integrity_monitoring = "true"
-    enable_secure_boot          = "false"
+    enable_secure_boot          = "true"
     enable_vtpm                 = "true"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -149,12 +149,17 @@ resource "google_compute_instance" "cloud-compose" {`
`149`	`149`
`150`	`150`	`service_account {`
`151`	`151`	`email = google_service_account.cloud-compose.email`
`152`		`- scopes = ["cloud-platform"]`
	`152`	`+ scopes = [`
	`153`	`+ "https://www.googleapis.com/auth/logging.write",`
	`154`	`+ "https://www.googleapis.com/auth/monitoring.write",`
	`155`	`+ "https://www.googleapis.com/auth/devstorage.read_only",`
	`156`	`+ "https://www.googleapis.com/auth/iam",`
	`157`	`+ ]`
`153`	`158`	`}`
`154`	`159`
`155`	`160`	`shielded_instance_config {`
`156`	`161`	`enable_integrity_monitoring = "true"`
`157`		`- enable_secure_boot = "false"`
	`162`	`+ enable_secure_boot = "true"`
`158`	`163`	`enable_vtpm = "true"`
`159`	`164`	`}`
`160`	`165`	`}`